Cybersecurity Tops Priority List For CEOs After String of High-Profile Hacks
Cyber threats have zoomed to the top of chief executives' worry lists for fear a data breach could cost them their jobs and take down their businesses.
The fallout of attacks on companies from Target Corp. to Yahoo Inc. and, most recently, Equifax Inc. has thrust more corporate bosses to the front line of cybersecurity issues and changed the way they work.
No longer leaving data protection just to I.T. departments, CEOs are now often the ones reassuring nervous boards, stressing the importance of data-security to employees and are leading cyber drills to gird for a potential hack. And as especially ripe phishing targets, chief executives -- more than many other staffers -- are being forced to rein in once-freewheeling email habits.
The number of U.S. data breaches jumped to a record 791 in the first six months of 2017, according to the nonprofit Identity Theft Resource Center and data security firm CyberScout. That is a 29% jump from the same period last year. At the same time, U.S. CEOs surveyed by KPMG LLP this year on average ranked cybersecurity as their top investment focus over the next three years, up from its second-place spot in last year's survey.
"This is something a lot of us just didn't have to worry about five years ago -- someone else was handling that," says Michael Riggs, chief executive of car-hauling company Jack Cooper Holdings Corp. But now, "any CEO who's not putting this at the top of their priority list is crazy."
That is partly because their jobs are now often the first on the line. Breaches at Target, Sony Pictures Entertainment and Equifax Inc. all spurred the departures of their bosses. Yahoo's then-CEO Marissa Mayer lost her 2016 bonus after the attack that occurred on her watch.
"The more it hits everyday citizens, the more likely it will cost a CEO their job," says Brett Stephens, chief executive of board and executive search firm RSR Partners.
Jack Cooper, which has more than 3,000 employees and transports cars for General Motors Co., Ford Motor Co. and other auto makers, doesn't just have to guard its own data. It is under pressure not to become the inadvertent portal through which hackers could gain access to its car-manufacturing customers, whose systems interface with theirs.
"They are a lot bigger pot of gold than we are, and we have to give assurances that we're not just OK, but that we're making this a top priority as far as the CEO and board are concerned," Mr. Riggs says.
Earlier this year, he rearranged the company's organizational structure so that the chief information officer reports directly to Mr. Riggs. On the executive team's conference call every Monday, the CIO updates Mr. Riggs and the rest of Jack Cooper's top executives on cybersecurity matters, from software problems with suppliers to other companies that have suffered attacks. On occasion, the team has used the weekly updates to act immediately on a cybersecurity recommendation, such as a software upgrade or process change.
Among the biggest cyber risks to companies are CEOs themselves. The sheer amount of publicly available information about them makes it easy for so-called phishers to craft authentic-appearing email urging them to click on malicious links or to initiate money transfers, experts say.
For Michael Hansen, CEO of educational-content company Cengage Learning, that risk means he often can't immediately respond to email from students and other customers. He says he makes a point of answering each email, which during the back-to-school season number as many as five a day. Now, though, he says he first has to scrutinize the email address and message or send them to the company's I.T. department for verification, which usually takes a couple of hours.
"I would love to just hit the 'reply' button," he says. "But at the same time I have to be conscious that not everyone could be legitimate."
A few times a year, Mr. Hansen and other senior managers take part in cyber drills in which they walk through a simulated phishing, ransomware or other cyberattack and determine when to inform customers and investors of the breach.
For a business leader, "going through the process helps you appreciate the level of pain this will cause in real life," says John Ackerly, a former tech policy director in George W. Bush's White House who is now CEO of Washington-based encryption and data-protection firm Virtru Corp. Plus, "it gives you insight into the quality of your team and where the weak links are."
A cottage industry of training courses, largely provided by consulting firms, has sprung up to demystify cybersecurity for C-suite executives and board directors, who are increasingly putting chief executives under pressure to bolster their defenses.
"We're not turning board members into technologists," says Tom Ridge, the former Homeland Security secretary and Pennsylvania governor, whose risk and consulting firm, Ridge Global, has put 225 board and senior company executives through a 16-hour cyber training program since it began earlier this year. "But it gives them a foundation to exercise their duty in financial oversight."
Angus Loten contributed to this article.
Write to Vanessa Fuhrmans at vanessa.fuhrmans@wsj.com
(END) Dow Jones Newswires
October 12, 2017 11:25 ET (15:25 GMT)